Working setup v1

Lieuwe Leene 2022-11-19 14:44:58 +01:00
parent ef88c67176
commit e26aff43bc
7 changed files with 216 additions and 32 deletions

30
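--- a/config/hugo/Dockerfile
+++ b/config/hugo/Dockerfile
@@ -0,0 +1,30 @@
+FROM alpine
+LABEL description="Hugo static build process."
+LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
+ARG HUGO_BASE="localhost"
+ARG SSL_ALGO=secp521r1
+RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "/v[0-9.]*/hugo_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \
+&& mkdir -p /usr/local/sbin \
+&& mv /tmp/hugo /usr/local/sbin/hugo \
+&& rm -rf /tmp/${HUGO_ID}_linux_amd64 \
+&& rm -rf /tmp/LICENSE.md \
+&& rm -rf /tmp/README.md
+RUN apk add --update git asciidoctor libc6-compat libstdc++ \
+&& apk upgrade \
+&& apk add --no-cache ca-certificates \
+&& git clone https://github.com/lleene/hugo-site.git /src \
+&& git clone https://github.com/lleene/hermit.git /src/themes/hermit \
+&& /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify
+RUN apk update && \
+apk add --no-cache openssl && \
+rm -rf /var/cache/apk/*
+RUN mkdir -p /etc/letsencrypt/live
+RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
+openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem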
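Review bot: The first RUN installs whatever release the GitHub API reports as latest and pipes the download straight into `tar` with no version pin or checksum, so the build is not reproducible, a tampered or truncated archive is not caught, and under `/bin/sh` a failed `wget` on the left of the pipe goes unnoticed. Pinning the version and verifying a SHA-256 before unpacking, as sketched below, closes that gap. In the same file `${HUGO_ID}` and `${BASE_URL}` are never declared, so that `rm` does nothing useful and hugo runs with `-b /` while the `HUGO_BASE` arg passed from compose is unused; `-b ${HUGO_BASE}/` looks like the intent. The last RUN also generates the EC private key at build time, which leaves it in an image layer readable by anyone who can pull or inspect the image; generating it at container start into the mounted volume would keep it out of the image.

```dockerfile
# Both values are supplied at build time for the release the maintainer has vetted.
ARG HUGO_VERSION
ARG HUGO_SHA256
RUN wget -O /tmp/hugo.tar.gz "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz" \
 && echo "${HUGO_SHA256}  /tmp/hugo.tar.gz" | sha256sum -c - \
 && mkdir -p /usr/local/sbin \
 && tar -xzf /tmp/hugo.tar.gz -C /usr/local/sbin hugo \
 && rm -f /tmp/hugo.tar.gz
# … unchanged: apk packages, git clone and hugo build, openssl key generation …
```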


@ -3,7 +3,7 @@ server {
listen [::]:${VIRTUAL_PORT}; listen [::]:${VIRTUAL_PORT};
server_name ${VIRTUAL_HOST}; server_name ${VIRTUAL_HOST};
location / { location / {
root /usr/share/nginx/html; root /var/www/html;
index index.html index.htm; index index.html index.htm;
} }
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;


@ -1,14 +0,0 @@
FROM alpine
MAINTAINER Lieuwe Leene
ARG SSL_ALGO=secp521r1
RUN apk update && \
apk add --no-cache openssl && \
rm -rf /var/cache/apk/*
RUN mkdir -p /etc/letsencrypt/live
RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem

19
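--- a/config/mail/config.php
+++ b/config/mail/config.php
@@ -0,0 +1,19 @@
+<?php
+$config['imap_host'] = 'tls://mailserver:143';
+$config['smtp_host'] = 'tls://mailserver:587';
+$config['imap_conn_options'] = array(
+'ssl' => array(
+'verify_peer' => false,
+'verify_peer_name' => false,
+'allow_self_signed' => true,
+),
+);
+$config['smtp_conn_options'] = array(
+'ssl' => array(
+'verify_peer' => false,
+'verify_peer_name' => false,
+'allow_self_signed' => true,
+),
+);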
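Review bot: Both `imap_conn_options` and `smtp_conn_options` set `verify_peer` and `verify_peer_name` to false, so Roundcube accepts any certificate on the `tls://mailserver` connections and the mailbox credentials it forwards are not protected against another host answering on the container network. If the only mismatch is that the certificate is issued for the public mail name rather than `mailserver`, keeping verification on and adding `'peer_name' => '<hostname on the mail server certificate>'` (or pointing `cafile` at the issuing CA) would resolve it without disabling the checks. If the relaxation has to stay, a comment above each array such as `// TLS verification disabled: internal hop to mailserver, certificate name does not match` would record why.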


@ -0,0 +1,17 @@
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
## End of configuration add by letsencrypt container
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
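Review bot: `X-XSS-Protection "1; mode=block"` on the last line addresses a browser XSS filter that current browsers no longer ship, so it adds no protection; a `Content-Security-Policy` is the control that replaces it, and none is set here. If this is the file compose mounts as `vhost.d/default`, nginx-proxy will presumably apply these headers to every virtual host without its own vhost file, so `X-Robots-Tag "none"` would also keep the public Hugo site and Gitea out of search indexes; worth confirming that is intended. A leading comment such as `# Default security headers applied to all vhosts (mounted as vhost.d/default)` would make that scope explicit.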


@ -0,0 +1,94 @@
root /var/www/nextcloud;
index index.php index.html index.htm;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass nextcloud.zathura.leene.dev;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
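Review bot: `fastcgi_pass nextcloud.zathura.leene.dev;` hard-codes the deployment's public hostname, while compose derives the same name from `nextcloud.${NGINX_HOST}`; if the two ever differ, the name presumably no longer matches the upstream generated by the proxy and the unencrypted FastCGI hop would depend on how that public name resolves. A comment on that line such as `# must equal VIRTUAL_HOST of the nextcloud service (upstream name generated by nginx-proxy)`, or templating the value, would make the dependency visible. `fastcgi_param modHeadersAvailable true;` tells Nextcloud the web server supplies the security headers, yet the PHP location sets none itself, so it is worth confirming that the proxy-wide default headers actually reach this vhost. The `Strict-Transport-Security` line is still commented out, which leaves HSTS off for this host.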


@ -3,52 +3,89 @@ version: "3.8"
networks: networks:
internalnet: internalnet:
driver: bridge # driver: bridge
enable_ipv6: false # enable_ipv6: false
x-mail: &defaults x-mail: &defaults
restart: always
env_file: local.env env_file: local.env
networks: networks:
- internalnet - internalnet
services: services:
hugo-html:
container_name: hugo-html
build:
context: ./config/hugo
args:
HUGO_BASE: lieuwe.${NGINX_HOST}
volumes:
- hugo_data:/public:z
- nginx_certs:/etc/letsencrypt/live:z
hugo-site: hugo-site:
<<: *defaults <<: *defaults
container_name: hugo-site container_name: hugo-site
image: nginx:alpine image: nginx:alpine
environment: environment:
- VIRTUAL_HOST=lieuwe.${NGINX_HOST}
- VIRTUAL_PORT=6262 - VIRTUAL_PORT=6262
- VIRTUAL_PROTO=http - VIRTUAL_PROTO=http
- VIRTUAL_HOST=lieuwe.${NGINX_HOST}
- LETSENCRYPT_HOST=lieuwe.${NGINX_HOST} - LETSENCRYPT_HOST=lieuwe.${NGINX_HOST}
volumes: volumes:
- ./config/hugo/public:/usr/share/nginx/html:ro,z - hugo_data:/var/www/html:ro,z
- ./config/hugo/configure:/etc/nginx/templates/default.conf.template:ro,z - ./config/hugo/configure:/etc/nginx/templates/default.conf.template:ro,z
restart: always ports:
expose: - "6262:6262"
- "6262"
pgsqlserver: pgsqlserver:
<<: *defaults <<: *defaults
container_name: pgsqlserver container_name: pgsqlserver
image: postgres:15 image: postgres:15
environment: environment:
- POSTGRES_MULTIPLE_DATABASES=gitea, roundcube - POSTGRES_MULTIPLE_DATABASES=gitea, roundcube, nextcloud
- POSTGRES_PASSWORD=${SQL_PSWD} - POSTGRES_PASSWORD=${SQL_PSWD}
volumes: volumes:
- sql_data:/var/lib/postgresql/data/:z - sql_data:/var/lib/postgresql/data/:z
- ./config/pg-init-scripts:/docker-entrypoint-initdb.d:ro,z - ./config/pg-init-scripts:/docker-entrypoint-initdb.d:ro,z
restart: always ports:
- "5432:5432"
nextcloud:
<<: *defaults
image: nextcloud:fpm
container_name: nextcloud
environment:
- VIRTUAL_HOST=nextcloud.${NGINX_HOST}
- VIRTUAL_PORT=9000
- LETSENCRYPT_HOST=nextcloud.${NGINX_HOST}
- POSTGRES_HOST=pgsqlserver
- POSTGRES_PORT=5432
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
- POSTGRES_PASSWORD=${SQL_PSWD}
- NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.${NGINX_HOST}
- NEXTCLOUD_ADMIN_USER=penny
- NEXTCLOUD_ADMIN_PASSWORD=${SQL_PSWD}
- SMTP_HOST=mailserver
- SMTP_SECURE=tls
- SMTP_NAME=admin@${NGINX_HOST}
- SMTP_PASSWORD=${SQL_PSWD}
depends_on:
- pgsqlserver
links:
- pgsqlserver
expose: expose:
- "5432" - "9000"
volumes:
- nextcloud_data:/var/www/html:z
- nextcloud_data:/var/www/nextcloud:z
gitea: gitea:
<<: *defaults <<: *defaults
container_name: gitea container_name: gitea
image: gitea/gitea image: gitea/gitea
restart: always
environment: environment:
- VIRTUAL_HOST=git.${NGINX_HOST} - VIRTUAL_HOST=git.${NGINX_HOST}
- VIRTUAL_PORT=3000 - VIRTUAL_PORT=3000
@ -85,9 +122,9 @@ services:
volumes: volumes:
- mail_html:/var/www/html:z - mail_html:/var/www/html:z
- mail_html:/var/www/roundcube:z - mail_html:/var/www/roundcube:z
- ./config/mail/config.php:/var/roundcube/config/${NGINX_HOST}.php:ro,z
mailserver: mailserver:
build: ./config/mail
<<: *defaults <<: *defaults
image: mailserver/docker-mailserver:latest image: mailserver/docker-mailserver:latest
container_name: mailserver container_name: mailserver
@ -101,7 +138,7 @@ services:
- "587:587" - "587:587"
- "993:993" - "993:993"
volumes: volumes:
- nginx_certs:/etc/letsencrypt/live/:ro,z - nginx_certs:/etc/letsencrypt/live:ro,z
- mail_data:/var/mail/:z - mail_data:/var/mail/:z
- mail_state:/var/mail-state/:z - mail_state:/var/mail-state/:z
- mail_config:/tmp/docker-mailserver/:z - mail_config:/tmp/docker-mailserver/:z
@ -109,13 +146,11 @@ services:
- NET_ADMIN - NET_ADMIN
depends_on: depends_on:
- ddnsgd - ddnsgd
restart: always
reverse-proxy: reverse-proxy:
<<: *defaults <<: *defaults
image: nginxproxy/nginx-proxy image: nginxproxy/nginx-proxy
container_name: nginx-proxy container_name: nginx-proxy
restart: always
environment: environment:
- DEFAULT_EMAIL=admin@${NGINX_HOST} - DEFAULT_EMAIL=admin@${NGINX_HOST}
ports: ports:
@ -128,7 +163,10 @@ services:
- nginx_certs:/etc/nginx/certs/:z - nginx_certs:/etc/nginx/certs/:z
- nginx_vhost:/etc/nginx/vhost.d/:z - nginx_vhost:/etc/nginx/vhost.d/:z
- mail_html:/var/www/roundcube:z - mail_html:/var/www/roundcube:z
- nextcloud_data:/var/www/nextcloud:z
- ./config/nginx/inbox_location:/etc/nginx/vhost.d/inbox.${NGINX_HOST}_location:ro,z - ./config/nginx/inbox_location:/etc/nginx/vhost.d/inbox.${NGINX_HOST}_location:ro,z
- ./config/nginx/nextcloud_location:/etc/nginx/vhost.d/nextcloud.${NGINX_HOST}_location:ro,z
- ./config/nginx/header_default:/etc/nginx/vhost.d/default:z
- /var/run/docker.sock:/tmp/docker.sock:ro,z - /var/run/docker.sock:/tmp/docker.sock:ro,z
depends_on: depends_on:
- ddnsgd - ddnsgd
@ -137,7 +175,6 @@ services:
<<: *defaults <<: *defaults
image: nginxproxy/acme-companion image: nginxproxy/acme-companion
container_name: nginx-proxy-acme container_name: nginx-proxy-acme
restart: always
volumes_from: volumes_from:
- reverse-proxy - reverse-proxy
volumes: volumes:
@ -150,7 +187,6 @@ services:
<<: *defaults <<: *defaults
container_name: "ddnsgd" container_name: "ddnsgd"
image: "ghcr.io/dominickbrasileiro/ddnsgd" image: "ghcr.io/dominickbrasileiro/ddnsgd"
restart: "always"
environment: environment:
- HOSTNAME=${NGINX_HOST} - HOSTNAME=${NGINX_HOST}
- USERNAME=${DNS_USERNAME} - USERNAME=${DNS_USERNAME}
@ -159,6 +195,8 @@ services:
volumes: volumes:
acme-state: acme-state:
gitea_data: gitea_data:
hugo_data:
nextcloud_data:
nginx_certs: nginx_certs:
nginx_dhparam: nginx_dhparam:
nginx_html: nginx_html:
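Review bot: On the new side the `pgsqlserver` service appears to swap `expose: "5432"` for `ports: "5432:5432"`, which publishes PostgreSQL on every host interface although the clients visible here reach it over `internalnet`. The `6262:6262` mapping on `hugo-site` likewise makes that site reachable without going through the reverse proxy. Keeping `expose`, or binding to loopback with `- "127.0.0.1:5432:5432"` when host access is really needed, avoids the exposure. The new `nextcloud` service also reuses `${SQL_PSWD}` for `POSTGRES_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` and `SMTP_PASSWORD`, so one leaked value opens the database, the Nextcloud admin account and the mail account; separate variables in `local.env` would contain that. `nextcloud:fpm` is a floating tag, and `./config/nginx/header_default` is mounted without `ro` unlike the other config files.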